How to configure a limited user account that can only manage users
by Mariusz Chruscielewski - Info.nl
Hi. We were using Keycloak 3.4.3 and we had an account for customer service that can manage users.
Client roles (for selected realms): impersonation, manage-users, view-users
After upgrading to KC 4.8.2, the user can log in, but when he selects a realm, a Forbidden message is shown. After assigning the “view-realm” role, it works, but the user sees more in the menu than we want him to.
Left menu contains:
Configure (Realm Settings, Roles, User Federation, Authentication)
Manage (Users, Groups, Sessions)
Isn’t there any way to hide the “Configure” part of the menu and show only “Manage”?
Regards
Mariusz
5 years, 10 months
Getting a user's CredentialRepresentation via the REST API
by Doswald Alistair
Hello,
I've been looking to get a user's CredentialRepresentation(s) via the REST API, but it doesn't seem possible. Getting the UserRepresentation doesn't get the user's credentials, and I haven't found another function (this is with Keycloak 4.8.3.Final).
Am I missing something? Or, if not, is this a bug (credentials should be sent with the UserRepresentation) or a design decision (sending credentials over the REST API would be a security flaw)?
Best regards,
Alistair Doswald
Help with non-browser authentication flow
by Noah Silverman
Hello,
I'm building a REST based API for users to access things on our server.
The Keycloak browser based authentication workflow is great, and I'd like to offer something similar to someone writing a REST client.
i.e.:
1) POST your username and password to the Keycloak server
2) Receive an authorization_code back from Keycloak
3) Call OUR REST endpoint with the Keycloak authorization_code
4) Our software does a "back channel" call to Keycloak server to exchange the authorization_code for access token.
5) We then reply to the user with the JIT as a unique token for accessing our REST API
This is super easy using the browser to visit the Keycloak login page (the standard workflow covers steps 1-3 above).
How can I configure Keycloak to allow the same flow without a browser?
Thank You!
--
Noah
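Step 4 of the flow Noah lists, the back-channel exchange of an authorization_code for tokens, is the same whether the code was obtained through a browser or not. The following is an added example, not code from the thread or from Keycloak: it builds the standard OpenID Connect request to Keycloak's token endpoint (`/realms/{realm}/protocol/openid-connect/token`, `grant_type=authorization_code`) and checks the response. The HTTP sender is injected so the logic can run offline against the constructed stand-in at the bottom; the base URL, realm name `demo`, client id, code and secret values are all made up for the example.

```python
"""Back-channel exchange of an authorization code for tokens at Keycloak's
token endpoint (added example; server names, realm, code and secret are constructed)."""
import json
from typing import Callable
from urllib.parse import parse_qs, urlencode

# (url, headers, form_body) -> (status, response_body); injected so the
# exchange logic can be exercised without a live Keycloak.
Sender = Callable[[str, dict, bytes], tuple[int, bytes]]


def token_endpoint(base_url: str, realm: str) -> str:
    """Keycloak's OpenID Connect token endpoint for one realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def build_code_exchange(client_id: str, client_secret: str, code: str,
                        redirect_uri: str) -> tuple[dict, bytes]:
    """Form body for grant_type=authorization_code. The client secret only
    travels on this server-to-server call, never to the REST client."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must equal the one used when the code was issued
        "client_id": client_id,
        "client_secret": client_secret,
    }
    return {"Content-Type": "application/x-www-form-urlencoded"}, urlencode(form).encode()


def exchange_code(send: Sender, base_url: str, realm: str, client_id: str,
                  client_secret: str, code: str, redirect_uri: str) -> dict:
    """POST the exchange and return the tokens, raising on any failure."""
    headers, body = build_code_exchange(client_id, client_secret, code, redirect_uri)
    status, raw = send(token_endpoint(base_url, realm), headers, body)
    payload = json.loads(raw.decode())
    if status != 200:
        # Failures come back as {"error": ..., "error_description": ...}
        raise PermissionError(f"{payload.get('error')}: {payload.get('error_description')}")
    if payload.get("token_type", "").lower() != "bearer" or "access_token" not in payload:
        raise ValueError("token endpoint returned no bearer access token")
    return {k: payload[k] for k in ("access_token", "expires_in", "refresh_token") if k in payload}


# --- constructed stand-in for the token endpoint, so the code above runs offline ---
VALID_CODE = "code-123"
CLIENT_SECRET = "client-secret-example"


def fake_token_endpoint(url: str, headers: dict, body: bytes) -> tuple[int, bytes]:
    """Mimics the shape of Keycloak's responses; values are constructed, not captured."""
    form = {k: v[0] for k, v in parse_qs(body.decode()).items()}
    if not url.endswith("/realms/demo/protocol/openid-connect/token"):
        return 404, b'{"error":"not_found"}'
    if form.get("client_secret") != CLIENT_SECRET:
        return 401, b'{"error":"unauthorized_client","error_description":"Invalid client secret"}'
    if form.get("grant_type") != "authorization_code" or form.get("code") != VALID_CODE:
        return 400, b'{"error":"invalid_grant","error_description":"Code not valid"}'
    return 200, json.dumps({"access_token": "eyJ.example.token", "token_type": "Bearer",
                            "expires_in": 300, "refresh_token": "refresh.example"}).encode()


if __name__ == "__main__":
    print(exchange_code(fake_token_endpoint, "https://kc.example.test", "demo",
                        "my-api", CLIENT_SECRET, VALID_CODE, "https://api.example.test/cb"))
```

Against a real server, `send` would wrap `urllib.request` or `requests`; whatever the API then hands back to its own clients (the "JIT" of step 5), the access token returned here must still be validated (signature, issuer, expiry) on every call before it is trusted.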
Add a new entry in the menu to the left of the admin console
by Luca Stancapiano
I would like to add a new entry in the menu to the left of the admin console. The item information is on the html templates / menu.html page. I cannot, however, overwrite the templates placed in the templates directory, but only the pages in the resources folder. Is it something wanted? How do I need to overwrite that page or add a new entry?
Is Keycloak ONLY for securing URL-based calls
by kapil joshi
Hi All,
Is Keycloak ONLY for securing URL-based calls? Can we secure a CLI login
to a box via Keycloak? I may sound goofy, but is it possible to authenticate
a user login to a Linux box, which has Keycloak installed on it, against
Keycloak?
Thanks & regards
Kapil
Re: [keycloak-user] Configuring SMTP settings via rest API
by kapil joshi
Hi Tony,
Thanks for this idea, I'm able to save the SMTP alone via this API. But I
realised that I should have a user with the client role of realm-management with
the manage-realms privilege.
I was kind of hoping to avoid assigning this role. Please let me know if you
have any solutions to this situation.
Thanks again for your help
Kapil
On Wed, Feb 20, 2019 at 12:18 AM Tony Harris <Tony.Harris(a)oneadvanced.com>
wrote:
> There is a GET method GET /admin/realms/{realm} that returns the
> RealmRepresentation as a JSON object and a PUT method that takes the
> RealmRepresentation and should allow you to do update the SMTP settings.
>
> See
> https://www.keycloak.org/docs-api/3.0/rest-api/index.html#_realms_admin_r...
>
> -----Original Message-----
> From: keycloak-user-bounces(a)lists.jboss.org [mailto:
> keycloak-user-bounces(a)lists.jboss.org] On Behalf Of kapil joshi
> Sent: 19 February 2019 14:59
> To: Felix Knecht <Felix.Knecht(a)hrm-systems.ch>;
> keycloak-user(a)lists.jboss.org
> Subject: Re: [keycloak-user] Configuring SMTP settings via rest API
>
> Hi all,
>
> Just rechecking, if there is a solution to this issue, please let us know.
>
> Kapil
>
> On Fri, 15 Feb 2019, 17:51 kapil joshi, <kapilkumarjoshi001(a)gmail.com>
> wrote:
>
> > Thanks Felix, but I was looking more from the REST API end, as I'm using
> > the JavaScript adapter of Keycloak.
> >
> > Can someone point to the rest API way of saving SMTP settings.
> >
> > Thanks
> > Kapil
> >
> >
> >> On Fri, Feb 15, 2019 at 3:42 PM Felix Knecht
> >> <Felix.Knecht(a)hrm-systems.ch>
> >> wrote:
> >>
> >>> Hi Kapil
> >>>
> >>> I use something like
> >>>
> >>> import java.util.HashMap;
> >>> import java.util.Map;
> >>> import org.keycloak.admin.client.Keycloak;
> >>> import org.keycloak.admin.client.KeycloakBuilder;
> >>> import org.keycloak.representations.idm.RealmRepresentation;
> >>>
> >>> // Admin login: 'realm' is the realm the admin user belongs to (e.g. "master"),
> >>> // 'myRealm' below is the realm whose SMTP settings are changed.
> >>> Keycloak keycloak = KeycloakBuilder.builder()
> >>>     .serverUrl(serverUrl)
> >>>     .realm(realm)
> >>>     .clientId(clientId)
> >>>     .clientSecret(clientSecret)
> >>>     .username(username)
> >>>     .password(password)
> >>>     .build();
> >>> // Only smtpServer is set; fields left null in the representation are not changed.
> >>> RealmRepresentation smtpRealm = new RealmRepresentation();
> >>> Map<String, String> smtpServer = new HashMap<>();
> >>> smtpServer.put("host", myHost);
> >>> smtpServer.put("port", myPort); // a String, e.g. "587"
> >>> smtpServer.put("from", myFrom);
> >>> smtpServer.put("auth", "true");
> >>> smtpServer.put("user", mySmtpUser);
> >>> smtpServer.put("password", mySmtpPassword);
> >>> smtpRealm.setSmtpServer(smtpServer);
> >>> keycloak.realms().realm(myRealm).update(smtpRealm);
> >>>
> >>> Regards
> >>> Felix
> >>>
> >>>
> >>> > -----Original Message-----
> >>> > From: keycloak-user-bounces(a)lists.jboss.org <keycloak-user-
> >>> > bounces(a)lists.jboss.org> On Behalf Of kapil joshi
> >>> > Sent: Thursday, 14 February 2019 19:49
> >>> > To: keycloak-user(a)lists.jboss.org
> >>> > Subject: [keycloak-user] Configuring SMTP settings via rest API
> >>> >
> >>> > Hi all,
> >>> >
> >>> > I wanted one small example of configuring SMTP settings via rest API.
> >>> >
> >>> > We are planning to create a UI similar to Keycloak's, but use the
> >>> rest API to set it.
> >>> >
> >>> > Also, how do I test the saved settings, i.e. whether they are saved or not?
> >>> >
> >>> > Thanks
> >>> > Kapil
> >>> > _______________________________________________
> >>> > keycloak-user mailing list
> >>> > keycloak-user(a)lists.jboss.org
> >>> > https://lists.jboss.org/mailman/listinfo/keycloak-user
> >>>
> >>
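Tony's advice (GET `/admin/realms/{realm}`, PUT a RealmRepresentation back) and Kapil's follow-up question (how to check that the settings were saved) together make one procedure. The following is an added example, not code from the thread or from Keycloak: it PUTs a representation that carries only `smtpServer`, then GETs the realm back and compares every field except the password, which the admin API returns masked rather than in clear. The HTTP sender is injected so the sequence runs offline against the constructed in-memory stand-in at the bottom; the server URL, realm name `demo`, token and SMTP values are all made up. A 403 on the PUT corresponds to the manage-realm requirement Kapil describes.

```python
"""Configure a realm's SMTP server over the Keycloak Admin REST API and read it
back to verify (added example; server, realm, token and SMTP values are constructed)."""
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

# (method, url, headers, body) -> (status, response body); injected so the
# PUT-then-GET sequence can be exercised offline.
Sender = Callable[[str, str, dict, Optional[bytes]], tuple[int, bytes]]

MASKED_SECRET = "**********"  # the admin API returns this instead of the stored SMTP password


def realm_url(base_url: str, realm: str) -> str:
    return f"{base_url.rstrip('/')}/admin/realms/{realm}"


def build_smtp_update(smtp: dict) -> dict:
    """A RealmRepresentation holding only smtpServer. Fields left out of the
    representation are not touched by the update, so the rest of the realm stays as is."""
    for key in ("host", "port", "from"):
        if key not in smtp:
            raise ValueError(f"smtpServer needs '{key}'")
    # Keycloak keeps every smtpServer value as a string (port and auth included).
    return {"smtpServer": {k: str(v) for k, v in smtp.items()}}


def configure_smtp(send: Sender, base_url: str, realm: str, admin_token: str, smtp: dict) -> dict:
    """PUT the SMTP block, then GET the realm and compare what came back.
    Returns the stored smtpServer block (password masked); raises on any mismatch."""
    url = realm_url(base_url, realm)
    auth = {"Authorization": f"Bearer {admin_token}"}
    status, raw = send("PUT", url, {**auth, "Content-Type": "application/json"},
                       json.dumps(build_smtp_update(smtp)).encode())
    if status == 403:
        # The token's user needs manage-realm from the realm-management client.
        raise PermissionError("admin token is not allowed to update the realm")
    if status not in (200, 204):
        raise RuntimeError(f"realm update failed: HTTP {status} {raw.decode(errors='replace')}")

    status, raw = send("GET", url, auth, None)
    if status != 200:
        raise RuntimeError(f"could not read realm back: HTTP {status}")
    stored = json.loads(raw.decode()).get("smtpServer") or {}
    # The password never comes back in clear, so every other key is compared.
    wrong = {k: stored.get(k) for k in smtp if k != "password" and stored.get(k) != str(smtp[k])}
    if wrong:
        raise RuntimeError(f"settings not saved as sent: {wrong}")
    return stored


def urllib_sender(method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple[int, bytes]:
    """Sender for a real server, built on the standard library."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class FakeAdminApi:
    """Constructed stand-in for the admin endpoint: one realm kept in memory,
    with the SMTP password masked on read the way the real API does it."""

    def __init__(self, allowed: bool = True):
        self.realm = {"realm": "demo", "enabled": True, "smtpServer": {}}
        self.allowed = allowed

    def __call__(self, method: str, url: str, headers: dict, body: Optional[bytes]) -> tuple[int, bytes]:
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, b""
        if method == "PUT":
            if not self.allowed:
                return 403, b'{"error":"HTTP 403 Forbidden"}'
            update = json.loads(body.decode())
            self.realm.update({k: v for k, v in update.items() if v is not None})
            return 204, b""
        view = json.loads(json.dumps(self.realm))  # deep copy before masking
        if "password" in view["smtpServer"]:
            view["smtpServer"]["password"] = MASKED_SECRET
        return 200, json.dumps(view).encode()


# Constructed settings for the example run.
SMTP = {"host": "smtp.example.test", "port": 587, "from": "noreply@example.test",
        "auth": "true", "starttls": "true", "user": "mailer", "password": "example-only"}

if __name__ == "__main__":
    print(configure_smtp(FakeAdminApi(), "https://kc.example.test", "demo", "token-example", SMTP))
```

Because the password is masked on read, the verification compares everything else; the only end-to-end check of the stored credential is an actual test e-mail.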
list all permissions using "keycloak-admin-client"
by mohsen fatahi
Hi, I am using "keycloak-admin-client" for managing roles and users. I want
to get all permissions that are in a client, but there is no API to handle
this. There are APIs for create or getByName or getById separately for
scope- and resource-based permissions. I want to list all permissions (scope &
resource) and show them to the admin.
best regards. mohsen
Tomcat session timeout using spring-security adapter
by Ken Haendel
Hello Keycloak users,
I want to secure a web app using Tomcat and the spring-security adapter.
Since the token timeout values are configured in Keycloak,
1.
to which value should I set the Tomcat session timeout so as not to interfere
with the Keycloak token timeouts?
Currently my settings in web.xml are:
<session-config>
<!-- must be set to infinite for keycloak ??? -->
<session-timeout>-1</session-timeout>
<cookie-config>
<http-only>true</http-only>
<secure>true</secure>
</cookie-config>
<tracking-mode>COOKIE</tracking-mode>
</session-config>
and
2.
is there a disadvantage to using indefinite sessions?
Thank you in advance and kind regards,
Ken
Client not allowed to exchange
by Andrew J. Alexander
I am getting a returned value of "client not allowed to exchange"
Feb 19 17:20:39 keycloak-0ea709bc8787a3a29 standalone.sh[1149]:
#033[0m#033[33m17:20:39,754 WARN [org.keycloak.events] (default task-21)
type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=client-id-here,
userId=null, ipAddress=192.168.1.13, error=not_allowed, reason='client not
allowed to exchange subject_issuer', auth_method=token_exchange,
grant_type=urn:ietf:params:oauth:grant-type:token-exchange,
subject_issuer=facebookdev, client_auth_method=client-secret
What's the problem here? Is it due to an issue with my client-secret (I am
guessing this as I'm not currently passing in a value)? Is it due to some
setting on the client itself?
I've set Access Type to public, direct grants are enabled and the protocol
is openid-connect.
Does anyone have any experience with this? I am attempting to do a token
exchange.
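The WARN line Andrew quotes is a Keycloak event record: `key=value` pairs, with the `#033[..m` prefixes being ANSI colour codes as journald renders them. The following is an added example, not code from the thread or from Keycloak, that parses such lines into fields so a log pipeline can alert on `*_ERROR` events and keep the `reason`, `subject_issuer` and `client_auth_method` that explain the failure. The sample line is the one from the thread, re-joined onto a single line; the regexes are this example's own.

```python
"""Parse Keycloak event log lines (such as the TOKEN_EXCHANGE_ERROR above) into
fields for alerting (added example; the sample line is the thread's, re-joined)."""
import re
from typing import Optional

# Keycloak colours console output with ANSI escapes; journald renders the ESC
# byte as "#033", which is what the quoted line shows. Strip both forms.
ANSI_ESCAPE = re.compile(r"(?:\x1b|#033)\[[0-9;]*m")
EVENT_LINE = re.compile(
    r"(?P<time>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>[A-Z]+)\s+\[org\.keycloak\.events\]"
    r"\s+\([^)]*\)\s+(?P<fields>.*)$")
# key=value pairs separated by ", "; values containing spaces are single-quoted.
FIELD = re.compile(r"(\w+)=('([^']*)'|[^,]*)")


def parse_event(line: str) -> Optional[dict]:
    """Return the event's fields plus level and time, or None for a non-event line."""
    match = EVENT_LINE.search(ANSI_ESCAPE.sub("", line))
    if not match:
        return None
    event = {"level": match["level"], "time": match["time"]}
    for key, value, quoted in FIELD.findall(match["fields"]):
        text = quoted if value.startswith("'") else value.strip()
        event[key] = None if text == "null" else text  # Keycloak prints absent values as null
    return event


def alert_message(event: Optional[dict]) -> Optional[str]:
    """One-line summary for error events; None for events that need no alert."""
    if not event or not (event.get("type") or "").endswith("_ERROR"):
        return None
    return (f"{event['type']} in realm {event.get('realmId')} by client {event.get('clientId')} "
            f"from {event.get('ipAddress')}: {event.get('error')} ({event.get('reason')})")


# The line quoted in the thread, re-joined onto one line as journald emitted it.
SAMPLE = ("Feb 19 17:20:39 keycloak-0ea709bc8787a3a29 standalone.sh[1149]: "
          "#033[0m#033[33m17:20:39,754 WARN [org.keycloak.events] (default task-21) "
          "type=TOKEN_EXCHANGE_ERROR, realmId=master, clientId=client-id-here, userId=null, "
          "ipAddress=192.168.1.13, error=not_allowed, reason='client not allowed to exchange "
          "subject_issuer', auth_method=token_exchange, "
          "grant_type=urn:ietf:params:oauth:grant-type:token-exchange, "
          "subject_issuer=facebookdev, client_auth_method=client-secret")

if __name__ == "__main__":
    print(alert_message(parse_event(SAMPLE)))
```

Run over the sample, the parsed `client_auth_method` is `client-secret` while the client is described as public with no secret passed, and `subject_issuer` names the external identity provider; both are the fields to compare against the client's configuration when working out why the exchange was refused.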